Sep 04 2012

Human Resources Security and ISO 27001

Category: ISO 27kDISC @ 3:19 pm
English: A candidate icon for Portal:Computer ...

Pre-Employment Background Investigations for Public Safety Professionals

One of the most popular misconceptions about ISO27001 is that this standard may only deal with IT related information security controls. The truth is ISO27001 covers information security controls for several different business functions of an organization including human resources.

Section 8 of ISO27001 specification in annex A is regarding human resources security. Human resources domain addresses three different stages of the employment: pre-employment, during employment and post employment. In this post we will address the importance of pre-employment controls for personnel who may manage ISMS or handle the sensitive information in an organization. Control A8.1 deals with pre-employment. The basic objective of this control is to minimize the loss of information which may occur but not limited to fraud and human mishandling. This control requires organization to document the roles, responsibilities and accountability to manage and maintain ISMS (Information Security Management System)

Control A8.1.2 requires organization to perform verification checks on permanent employees, contractors and third parties. Any screening must be carried out in accordance with the relevant local laws. This may be especially true for the international organizations which have presence around the world. Control A8.1.3 requires organization to ensure that the employees, contractors and third parties all agree and sign the employment contract that contains terms and conditions covering, their and the organization’s responsibilities for information security.

Below are the basic job verification checks which must be completed:

  1. Character reference check for at least one personal and one business reference. Take comprehensive notes for the records.
  2. Verify the accuracy of employee’s resume.
  3. Conformation of academic and professional qualifications.
  4. Passport verification for identity check
  5. Verify that an individual has an authorization to work in the country

Bear in mind the personnel vetting process may vary for government jobs or for the personnel handling highly classified material/data.

Tags: Human resources, Information Security Management System, iso 27001, ISO/IEC 27001

Leave a Reply

You must be logged in to post a comment. Login now.